Re: [ovirt-users] How to mapping LDAP users in AAA
Sun Java Access System Manager

On 14-10-14 1:52 PM, Yair Zaslavsky wrote:
> ----- Original Message -----
> From: lofyer lof...@gmail.com
> To: users users@ovirt.org
> Sent: Tuesday, October 14, 2014 5:10:56 AM
> Subject: [ovirt-users] How to mapping LDAP users in AAA
>
> > I've got a LDAP server without kerberos and I am trying to integrate its users to oVirt-3.5 with AAA.
> > ==
>
> Which ldap server is that, what vendor?
>
> > /etc/ovirt-engine/aaa/example.properties:
> > include = openldap.properties
> > vars.user = cn=directory manager
> > vars.password = mypassword
> > vars.server = example.com
> > #pool.default.ssl.startTLS = false
> > #pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
> > #pool.default.ssl.truststore.password = admin
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> > ==
> > This is my basic ldap information:
> > ou=Groups
> > |
> > + cn=UserGroup1
> > |
> > + cn=UserGroup2
> > ou=UserGroup1
> > |
> > + cn=user1
> > |
> > + cn=user2
> > ou=UserGroup2
> > |
> > + cn=user3
> > |
> > + cn=user4
> > ==
> > Now I can see example.com in web portal but I cannot list users in UG1 or UG2.
> > I find that I could map DN, ID NAME, DISPLAY in the config file.
> > What should I add in the config file then?

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] How to mapping LDAP users in AAA
----- Original Message -----
From: lofyer lof...@gmail.com
To: users users@ovirt.org
Sent: Tuesday, October 14, 2014 5:10:56 AM
Subject: [ovirt-users] How to mapping LDAP users in AAA

> I've got a LDAP server without kerberos and I am trying to integrate its users to oVirt-3.5 with AAA.
> ==
> /etc/ovirt-engine/aaa/example.properties:

You need to create two extensions, one for authentication and another for authorization at /etc/ovirt-engine/extensions.d/ see[1], both should refer to your example.properties. But I see you created these based on below.

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l17

> include = openldap.properties
> vars.user = cn=directory manager

are you sure this ^ is the full dn of the user?

> vars.password = mypassword
> vars.server = example.com
> #pool.default.ssl.startTLS = false
> #pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
> #pool.default.ssl.truststore.password = admin
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> ==
> This is my basic ldap information:
> ou=Groups
> |
> + cn=UserGroup1
> |
> + cn=UserGroup2
> ou=UserGroup1
> |
> + cn=user1
> |
> + cn=user2
> ou=UserGroup2
> |
> + cn=user3
> |
> + cn=user4
> ==
> Now I can see example.com in web portal but I cannot list users in UG1 or UG2.

in admin portal?

> I find that I could map DN, ID NAME, DISPLAY in the config file.
> What should I add in the config file then?

you do not need to touch these...

1. which version of ovirt-engine do you use?
2. which version of ovirt-engine-extension-aaa-ldap do you use?

what is your root dse?

$ ldapsearch -H ldap://example.com -b '' -x -D 'cn=directory manager' -w mypassword -s BASE

seek namingContexts, it should contain first entry a suffix for all objects.

if you try to search users within Users add tab within webadmin and find nothing and rootdse is ok please modify /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in and set:

    <file-handler name="SERVER">                             <--- find this
        <level name="FINEST"/>                               <--- modify this
    <logger category="org.ovirt.engineextensions.aaa.ldap">  <--- add this
        <level name="FINEST"/>                               <--- add this
    </logger>                                                <--- add this
    <logger category="com.arjuna">                           <--- find this

stop engine
remove /var/log/ovirt-engine/engine.log
start engine
try to search
send me engine.log

Regards,
Alon
Re: [ovirt-users] How to mapping LDAP users in AAA
----- Original Message -----
From: lofyer lof...@gmail.com
To: Yair Zaslavsky yzasl...@redhat.com
Cc: users users@ovirt.org
Sent: Tuesday, October 14, 2014 9:29:57 AM
Subject: Re: [ovirt-users] How to mapping LDAP users in AAA

> Sun Java Access System Manager

this is not openldap... why do you use openldap profile?

please attach full export of this ldap server, output of:

rootdse:
$ ldapsearch -H ldap://example.com -b '' -x -D 'cn=directory manager' -w mypassword -s BASE

entities:
$ ldapsearch -o ldif-wrap=no -E pr=100/noprompt -H ldap://example.com -x -D 'cn=directory manager' -w mypassword -b NAMING_CONTEXT
Re: [ovirt-users] How to mapping LDAP users in AAA
Hi,

In order to help and create a profile for this variant I need the full output of:

$ ldapsearch -E pr=100/noprompt -o ldif-wrap=no -H ldap://ids.sdju.edu.cn -x -D 'cn=directory manager' -w mypassword -b 'dc=sdju,dc=edu,dc=cn'

Please do not paste but paste. You can send me privately.

Regards,
Alon

----- Original Message -----
From: lofyer lof...@gmail.com
To: Alon Bar-Lev alo...@redhat.com
Cc: Yair Zaslavsky yzasl...@redhat.com, users users@ovirt.org
Sent: Tuesday, October 14, 2014 12:22:03 PM
Subject: Re: [ovirt-users] How to mapping LDAP users in AAA

> Yes, I do add authz and authn in /etc/ovirt-engine/extension.d/ like this
> ==
> /etc/ovirt-engine/extensions.d/authn-sdju.edu.cn.properties:
> ovirt.engine.extension.name = authn-sdju.edu.cn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = sdju.edu.cn
> ovirt.engine.aaa.authn.authz.plugin = authz-sdju.edu.cn
> config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
> ==
> /etc/ovirt-engine/extensions.d/authz-sdju.edu.cn.properties:
> ovirt.engine.extension.name = authz-sdju.edu.cn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
> ==
> And here's my log:
>
> ldapsearch -H ldap://ids.sdju.edu.cn -b '' -D 'cn=directory manager' -w mypassword -s BASE
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> dn:
> objectClass: top
> namingContexts: dc=sdju,dc=edu,dc=cn
> namingContexts: o=NetscapeRoot
> supportedExtension: 2.16.840.1.113730.3.5.7
> supportedExtension: 2.16.840.1.113730.3.5.8
> supportedExtension: 2.16.840.1.113730.3.5.3
> supportedExtension: 2.16.840.1.113730.3.5.5
> supportedExtension: 2.16.840.1.113730.3.5.6
> supportedExtension: 2.16.840.1.113730.3.5.4
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
> supportedExtension: 1.3.6.1.4.1.4203.1.11.3
> supportedControl: 2.16.840.1.113730.3.4.2
> supportedControl: 2.16.840.1.113730.3.4.3
> supportedControl: 2.16.840.1.113730.3.4.4
> supportedControl: 2.16.840.1.113730.3.4.5
> supportedControl: 1.2.840.113556.1.4.473
> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 2.16.840.1.113730.3.4.16
> supportedControl: 2.16.840.1.113730.3.4.15
> supportedControl: 2.16.840.1.113730.3.4.17
> supportedControl: 2.16.840.1.113730.3.4.19
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
> supportedControl: 2.16.840.1.113730.3.4.14
> supportedControl: 1.3.6.1.4.1.1466.29539.12
> supportedControl: 2.16.840.1.113730.3.4.12
> supportedControl: 2.16.840.1.113730.3.4.18
> supportedControl: 2.16.840.1.113730.3.4.13
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> supportedLDAPVersion: 2
> supportedLDAPVersion: 3
> vendorName: Sun Microsystems, Inc.
> vendorVersion: Sun Java(TM) System Directory Server/5.2_Patch_4
> dataversion: 020121212071504020121212071504
> netscapemdsuffix: cn=ldap://dc=ids1,dc=sdju,dc=edu,dc=cn:389
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> ==
> ldapsearch -E pr=100/noprompt -H ldap://ids.sdju.edu.cn -x -D 'cn=directory manager' -w mypassword -b ou=JZG,dc=sdju,dc=edu,dc=cn
> # extended LDIF
> #
> # LDAPv3
> # base <ou=JZG,dc=sdju,dc=edu,dc=cn> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> # with pagedResults
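A consistency check for the wiring Alon describes (two extension files under /etc/ovirt-engine/extensions.d/ referring to one profile) against the files and root DSE quoted in this message. This is an added example, not code from the thread or from oVirt; the inputs are constructed from the thread, trimmed to the relevant keys, and the startTLS finding is this example's own policy rather than something the thread states.

```python
# Added example, not code from the thread or from oVirt: cross-check the
# authn/authz extension files, the AAA profile and the root DSE quoted above.
# Inputs are constructed from the thread, trimmed to the keys that matter.
AUTHN = """ovirt.engine.extension.name = authn-sdju.edu.cn
ovirt.engine.aaa.authn.authz.plugin = authz-sdju.edu.cn
config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties"""
AUTHZ = """ovirt.engine.extension.name = authz-sdju.edu.cn
config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties"""
PROFILE = """include = openldap.properties
vars.user = cn=directory manager
#pool.default.ssl.startTLS = false"""
ROOT_DSE = """dn:
namingContexts: dc=sdju,dc=edu,dc=cn
namingContexts: o=NetscapeRoot
vendorName: Sun Microsystems, Inc."""

def parse(text, sep):
    """Split 'key<sep>value' lines into {key: [values]}.  '#' lines are
    comments, so the commented-out startTLS key above counts as unset."""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(sep)
            out.setdefault(key.strip(), []).append(value.strip())
    return out

def first(d, key, default=""):
    return d.get(key, [default])[0]

def check_setup(authn, authz, profile, root_dse):
    """Return findings; an empty list means the wiring looks consistent."""
    n, z = parse(authn, "="), parse(authz, "=")
    p, d = parse(profile, "="), parse(root_dse, ":")
    findings = []
    if first(n, "ovirt.engine.aaa.authn.authz.plugin") != first(z, "ovirt.engine.extension.name"):
        findings.append("authn does not reference the authz extension by name")
    if first(n, "config.profile.file.1") != first(z, "config.profile.file.1"):
        findings.append("authn and authz point at different profile files")
    if not d.get("namingContexts"):
        findings.append("root DSE lists no namingContexts, nothing to search under")
    vendor = first(d, "vendorName")
    if "Sun" in vendor and first(p, "include") == "openldap.properties":
        findings.append("server vendor is '%s' but profile includes openldap.properties" % vendor)
    # Policy check of this example: a simple bind sends the bind password.
    if first(p, "pool.default.ssl.startTLS", "false") != "true":
        findings.append("simple bind without startTLS: bind password crosses the wire in clear")
    return findings
```

Run `check_setup(AUTHN, AUTHZ, PROFILE, ROOT_DSE)` on the constructed inputs and it reports the vendor/profile mismatch and the missing startTLS, which are the two points raised in the thread.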
[ovirt-users] How to mapping LDAP users in AAA
I've got a LDAP server without kerberos and I am trying to integrate its users to oVirt-3.5 with AAA.
==
/etc/ovirt-engine/aaa/example.properties:
include = openldap.properties
vars.user = cn=directory manager
vars.password = mypassword
vars.server = example.com
#pool.default.ssl.startTLS = false
#pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
#pool.default.ssl.truststore.password = admin
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
==
This is my basic ldap information:
ou=Groups
|
+ cn=UserGroup1
|
+ cn=UserGroup2
ou=UserGroup1
|
+ cn=user1
|
+ cn=user2
ou=UserGroup2
|
+ cn=user3
|
+ cn=user4
==
Now I can see example.com in web portal but I cannot list users in UG1 or UG2.
I find that I could map DN, ID NAME, DISPLAY in the config file.
What should I add in the config file then?
Re: [ovirt-users] How to mapping LDAP users in AAA
----- Original Message -----
From: lofyer lof...@gmail.com
To: users users@ovirt.org
Sent: Tuesday, October 14, 2014 5:10:56 AM
Subject: [ovirt-users] How to mapping LDAP users in AAA

> I've got a LDAP server without kerberos and I am trying to integrate its users to oVirt-3.5 with AAA.
> ==

Which ldap server is that, what vendor?

> /etc/ovirt-engine/aaa/example.properties:
> include = openldap.properties
> vars.user = cn=directory manager
> vars.password = mypassword
> vars.server = example.com
> #pool.default.ssl.startTLS = false
> #pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
> #pool.default.ssl.truststore.password = admin
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> ==
> This is my basic ldap information:
> ou=Groups
> |
> + cn=UserGroup1
> |
> + cn=UserGroup2
> ou=UserGroup1
> |
> + cn=user1
> |
> + cn=user2
> ou=UserGroup2
> |
> + cn=user3
> |
> + cn=user4
> ==
> Now I can see example.com in web portal but I cannot list users in UG1 or UG2.
> I find that I could map DN, ID NAME, DISPLAY in the config file.
> What should I add in the config file then?